Bytes | Software Development & Data Engineering Community

email injection query

Up to the other day I had not bothered protecting the PHP script on my
feedback form against email injection. However, I have had a spammer using
it to insert email addresses as cc: bcc: into my email field. At first I was
puzzled why he was doing it, as the message being sent was just gibberish. I
have recently used a function to protect these fields and send an email back
to myself with his details. Function below:

function spamcheck($spammed_field, $returnpage) {
    // eregi() is already case-insensitive, so the strtolower() is redundant but harmless.
    // (The ereg extension was deprecated in PHP 5.3 and removed in PHP 7.)
    $spammed_field = strtolower($spammed_field);
    if ((eregi("cc:", $spammed_field)) || (eregi("subject:", $spammed_field))) {
        //(eregi("bcc:", $spammed_field)) ||
        // REMOTE_HOST is only set when the server does reverse DNS lookups, and the
        // proxy headers are only present when a proxy adds them, so guard every read
        // to avoid undefined-index notices.
        $spamhost = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
        $spamrefr = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        // X-Forwarded-For and Client-IP are supplied by the client and can say anything;
        // only REMOTE_ADDR (the TCP peer) is outside the sender's control.
        $spamaddr = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
        if (strlen($spamaddr) < 7 && isset($_SERVER['HTTP_CLIENT_IP'])) { $spamaddr = $_SERVER['HTTP_CLIENT_IP']; }
        if (strlen($spamaddr) < 7) { $spamaddr = $_SERVER['REMOTE_ADDR']; }
        $thisfile = $_SERVER['SCRIPT_NAME'];
        $spamtext = "FILE: $thisfile \nFROM: $spamrefr \nADDR: $spamaddr \nHOST: $spamhost \nINFO:\n$spammed_field\n";
        mail("sp*******@mysite.co.uk", "ALERT: $spamaddr", $spamtext,
             "From: IDD Software Spamcatcher <sp*******@mysite.co.uk>\r\n");
        //echo();
        die("<br><br><div align='center' class='RedWarning'>If you are a spammer "
          . "trying to inject script into my input fields, then go away and get a "
          . "life<br>otherwise<br>Please try again as you may have included some "
          . "incorrect characters.<br><br><a href='" . $returnpage . "' "
          . "class='BodyLink'>Return</a></div>");
    }
}

This function should cause the spam attempt to die and send info about
the spammer and the injected script to me, which it does brilliantly. But now
I'm getting more of these notices of spamming than I was originally getting
spammed messages, with many more emails in the cc: bcc: and a proper message
(just sales stuff about tea oil). Why is he still attempting this if the
spam is not working and not being sent to the recipients? I have an appropriate
message displayed when the spam is attempted. Is he stupid and just sitting
there trying to spam my feedback form even though he is getting this message
telling him to go away, or do you think there is some sort of automatic
process being run on my webpage?

Is there a way to return an email to him every time it's attempted?
The function returns his address, e.g. ADDR: 203.198.162.124, but it changes
every time. I don't know much about the antics and abilities of spammers (but
I'm learning). Can anyone tell me why he's doing it still?
Dec 4 '06 #1
Tom
Is he stupid and just sitting
there trying to spam my feedback form even though he is getting this message
telling him to go away, or do you think there is some sort of automatic
process being run on my webpage?
Almost assuredly the latter. I had a test page I had put up once with
a form on it. All the form did was email me the textarea contents.
When I had finished my testing with the form, I commented out (but did
not delete) the form. Every once in a while I still get a spam message
from the form.

I don't know for sure, but I would guess that anybody making any money
doing this is doing it with bots.

Maybe you could create an RSS feed from the spams you get? I'd be
curious to see other responses.

Tom

Dec 4 '06 #2
On Mon, 04 Dec 2006 19:07:17 GMT, mantrid wrote:

<-snip->
Im getting more of these notices of spamming than I was getting originally
spammed messages with many more emails in the cc: bcc: and a proper message
(just sales stuff about tea oil). Why is he still attempting this if the
spam is not working and being sent to the recipients. I have an appropriate
message displayed when the spam is attempted. Is he stupid and just sitting
there trying to spam my feedback form even though he is getting this message
telling him to go away, or is do you think there is some sort of automatic
process being run on my webpage?
Most certainly you're being targeted by a botnet controlled by a spammer.
The 'nonsense' emails you first saw were "proof of concept" testing
before your URL was passed out to hundreds of "working" machines in the
botnet. Most certainly no Real Person is viewing anything that you
present on the screen. At most the http return code(s) and, maybe, some
screen scraping for successful results are sent back upstream to the
slime ball running the botnet.
Is there a way to return an email to him everytime its attempted?
No. The machine address you see is a cracked box. Most likely running
an unpatched Micro$oft OS. There'll be no MTA on that machine. Whoever
(wrongly believes they) owns it probably has an ISP that is
unrelated to the IP address you see.
The function returns his address, e.g. ADDR: 203.198.162.124, but it changes
every time. I don't know much about the antics and abilities of spammers (but
I'm learning). Can anyone tell me why he's doing it still?
Because he can.

I have a PHP message board I wrote. I have deployed it to 3 sites on a
domain I own. In robots.txt I correctly specified a Disallow for 2 of
those URLs (sub-directories). For the third one I slipped up and never
got it covered by my robots.txt. That's the one they hit (with their
http://replica_rolex/designer_handba...hentermine/etc.
spam.) Obviously they found it because Google found it. It's easier
for the spammers to use Google to find their targets than to manually slog
through the web. My checking showed it *was* indexed by Google and the
other 2 were not.

I have since moved _that_ message board to a different sub-directory and
updated robots.txt to properly Disallow it by robots. (Yes, I know --
there are good bots and evil bots. But, after 4 years with these
message boards up there, only this 'exposed' one was hit.)

I continue to 'run' the spammer-targeted message board as a 'test bed'.
It's given me the knowledge to "harden" my PHP message board, and
I've added logging of all activity to that URL. I give the spammer(s) a
lot of phoney, positive feedback on the posting attempts from the
botnet(s). (I now believe there are at least two different botnets
visiting my message board. I suppose these sewage slugs exchange
information amongst themselves vis-à-vis 'useable' message boards.)

My 'test bed' message board is now un-linked from anywhere -- 'they' are
using the deep link to get at it. I now have most of RIPE and APNIC in
my 'deny from' in my .htaccess in that sub-directory -- a lot of
sub-nets in LACNIC, too -- and quite a few cracked machines in the ARIN
ranges.

Since all 3 message boards are for purposes that are U.S.A.-centric, I
move that .htaccess into the 3 'good' message boards sub-directories as
I update it.

One interesting observation: A great majority of the URL's that they
(attempt to) post on my message board are redirecting URL's on cracked
.edu machines. There seems to be a fairly popular piece of software out
there that many colleges and universities put up for instructor-student
discussion purposes. (My guess...) There are A LOT of URL's -- to wit:

sched.sbu.edu/faculty/czuck/ce660/_disc3/0000265c.htm
students.concord.edu/tah/_reqdis/000006b9.htm
matcmadison.edu/ald/_discussion/000003f7.htm
svanpatt.asp.radford.edu/_disc1/0000071e.htm
http://www.biotech.sfasu.edu/bt/btc5...n/00006a90.htm
forums.maxwell.syr.edu/geo595/_disc1/00000374.htm
student.ttuhsc.edu/sota/_disc3/00009bb0.htm
org.jsr.vccs.edu/flpg/_disc1/00004f6b.htm
lanic.utexas.edu/pyme/esp/discus/messages/7/cheap-cialis.html

... and on, and on, and on -- ad nauseam.... 100's of different ones.
Every one I bothered to click on resulted in an instant redirect to the
spam URL elsewhere.

Keep up The Good Fight
Jonesy
--
Marvin L Jones | jonz | W3DHJ | linux
38.24N 104.55W | @ config.com | Jonesy | OS/2
*** Killfiling google posts: <http//jonz.net/ng.htm>
Dec 4 '06 #3
"Allodoxaphobia" <bi********@config.com> wrote in message
news:sl***********************@shell.config.com...
<-snip->
Thanks
Very informative reply.
The function I have uses eregi() to check POST data for "cc:" and "subject:".
What other checks should I be using in my function to tighten my security
further?
Ian
Dec 5 '06 #4
On Tue, 05 Dec 2006 17:23:11 GMT, mantrid wrote:
Thanks
Very informative reply.
The function I have uses eregi() to check POST data for "cc:" and "subject:".
What other checks should I be using in my function to tighten my security
further?
Ian
I can't be of much help to you there, since my focus is on a message
board and controlling the content that gets posted there -- versus your
email process where you want to control inappropriate usage. Where I
need to worry about html tags in the message(s), javascript insertion,
and detecting URL's, you need to be concerned about the injection of
'extra' email headers, etc.

You certainly can control access if your audience is geographically
'constrained'. Using .htaccess in your sub-directory, you can
"deny from" most or all of RIPE, and/or APNIC, etc. That should
cut down on the volume.
Reference: http://www.iana.org/assignments/ipv4-address-space

There's a lot more I need to understand and learn -- both on the
incoming sewage side, and on the managing and controlling side.

One thing you should feel certain about is that the slimeball spammers
are wallowing in their septic tanks and reading these discussions.
If you control the software (in my case I wrote my PHP message board)
you should be circumspect about tactics you design and employ. It
sounds selfish, and it'll raise the hackles of the "Don't Do Security
Through Obscurity" crowd, but it'll help you tread water better.
Since my tactics of using .htaccess "deny from" and disallowing URL's in
the postings (URL's are not at all necessary in my message boards) can
not be thwarted ("he says innocently"), I'm willing to disclose that.

Disallowing any URL's in the payload of your email might be something
you could employ. As well, disallowing multi-part construction and
image injection might be something you could employ, too.

gl and keep up The Good Fight.
Jonesy
Dec 5 '06 #5
.oO(mantrid)
>The function I have uses eregi()
eregi() should be avoided. The preg_* functions are faster and much more
flexible. Additionally in PHP 6 the ereg extension will be removed from
the core and moved to PECL, so it might not be available by default.
>to check POST data for "cc:" and "subject:"
>what other checks should I be using in my function to tighten my security
>further?
I wouldn't check for any particular header field at all, but for all
kinds of line breaks, which are required to inject malicious headers.

Micha
Dec 5 '06 #6
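The check Micha describes (reject any line break in a header field rather than look for particular header names), together with Jonesy's suggestion of treating URLs in the message body as a spam signal, worked through as an added example. This is not code from the thread or from any of the posters; it is written for PHP 7 or later, the payload and addresses are constructed for the demonstration, and nothing is actually handed to mail(). The function names are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7 or later; the payload
// below is constructed and nothing is sent by mail().

// The additional_headers argument of mail() is a CRLF-separated header block.
// Dropping a form field straight into it is exactly the injection the OP saw.
function build_from_headers(string $fromField): string
{
    return "From: " . $fromField . "\r\n" . "Reply-To: " . $fromField . "\r\n";
}

// Micha's point: a single header field can never legitimately contain CR, LF
// or any other control character, so reject the input outright instead of
// pattern-matching for "cc:" or "subject:" (which an attacker can simply vary).
function is_clean_header_value(string $value): bool
{
    // \x00-\x1F covers NUL, tab, LF (0x0A) and CR (0x0D); \x7F is DEL.
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// For the From/Reply-To field, additionally insist on exactly one well-formed address.
function is_safe_from_address(string $value): bool
{
    return is_clean_header_value($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Same header layout as above, but only ever built from vetted input.
function build_from_headers_checked(string $fromField): string
{
    if (!is_safe_from_address($fromField)) {
        throw new InvalidArgumentException('From field rejected: line break or not a single address');
    }
    return build_from_headers($fromField);
}

// Jonesy's suggestion: a feedback form rarely needs links, so a URL in the
// message body is a cheap spam indicator on top of the header check.
function body_has_url(string $body): bool
{
    return preg_match('~\b(?:https?|ftp)://|\bwww\.~i', $body) === 1;
}

// Constructed payload of the kind the thread describes: a plausible address,
// a CRLF, and a Bcc: header carrying the spammer's real recipients.
$payload = "visitor@example.com\r\nBcc: victim1@example.net, victim2@example.org";

echo "Headers the unchecked code would hand to mail():\n";
echo build_from_headers($payload), "\n";   // the Bcc: line has become its own header

foreach ([$payload, "visitor@example.com"] as $candidate) {
    try {
        build_from_headers_checked($candidate);
        echo "accepted: ", json_encode($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", json_encode($candidate), " (", $e->getMessage(), ")\n";
    }
}

var_dump(body_has_url("Buy tea oil now at http://example.com/tea"));
var_dump(body_has_url("Hello, I have a question about your product."));
```

Run it with `php` on the command line. The first echo shows why the OP's spammer only needed a CRLF: the injected Bcc: arrives at mail() as a header in its own right. The checked builder rejects the payload and accepts the plain address, and the two body checks return true and false respectively. Apply is_clean_header_value() to every field that ends up in a header (name and subject as well as the address); the message body may legitimately contain newlines, so it gets the URL check rather than the control-character check.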
